Critical Linux Vulnerability Discovered

Hundreds of open source packages, including the Red Hat, Ubuntu, and Debian distributions of Linux, are susceptible to attacks that circumvent the most widely used technology for preventing eavesdropping on the Internet, thanks to an extremely critical vulnerability in a widely used cryptographic code library.

The bug in the GnuTLS library makes it trivial for attackers to bypass the secure sockets layer (SSL) and Transport Layer Security (TLS) protections available on websites that depend on the open source package. Initial estimates included in Internet discussions such as this one indicate that more than 200 different operating systems or applications rely on GnuTLS to implement crucial SSL and TLS operations, but it wouldn't be surprising if the actual number is much higher. Web applications, e-mail programs, and other code that use the library are vulnerable to exploits that allow attackers monitoring connections to silently decode the encrypted traffic passing between end users and servers.

The bug is the result of commands in a section of the GnuTLS code that verifies the authenticity of TLS certificates, which are often known simply as X.509 certificates.